Security Scenarios – Example 2
Medical Device Cybersecurity
What are the Risks?
• Patient Safety – plenty of security research, but no reported case of patient harm
  • Harm is feasible and plausible – no need to panic, but proceed with a sense of urgency
• Care Delivery – many reported cases, e.g. CathLab shutdown; WannaCry (UK NHS)
• Device as the weakest link – reported beachhead attacks (a compromised device used as the entry point into the hospital network)
• Other risks: privacy, reputation, financial
• Likely scenario – an incident resulting from a non-targeted event (e.g. commodity malware, as with WannaCry)
Industry and Regulatory Action
• FDA Pre-Market and Post-Market Cybersecurity Guidance
• Developing efforts in China, Canada, and the EU
• Healthcare Providers are launching cybersecurity initiatives
• Device Manufacturers are developing security strategy and expertise
• Stakeholder cooperation – e.g. vulnerability sharing
Note: HIPAA C-I-A (confidentiality, integrity, availability) is limited to PHI
• Insufficient for medical devices:
• Consider non-PHI risks:
  • data not attributed to specific or identifiable patients
  • technical device data (calibration, safety limits …)